Indirect Assignment of Authorizations in SAP ERP HCM

  • by Prashant Rastogi, Associate Manager, Accenture
  • December 16, 2011
Learn how to implement position-based authorizations in your organization. Discover the advantages and pitfalls of having position-based authorizations.
Key Concept
The SAP general authorizations assignment concept is divided into two types: the direct assignment type, in which the user ID is directly assigned to a role, and the indirect assignment type, in which the user inherits the role through the position. Although the direct assignment type is commonly used when implementing an SAP system, the indirect assignment type is becoming increasingly popular with companies that have a strong focus on HR and rely on the position-based segregation of duties.

A position-based authorization approach (also called indirect assignment) is predicated on the fact that positions stay with companies, while employees may not. Therefore, by basing a job on the position rather than on the employee, companies can reduce maintenance and ensure that their security needs are met.

Overview of the Functionality

In the SAP environment, users require appropriate authorizations to perform their tasks. A security administrator can assign the required roles directly by using transactions SU01, SU10, and PFCG. However, if an employee leaves the organization and is replaced, the role must be assigned to the user ID again.

There are two ways to avoid having to redo this assignment. The first method is to attach the user ID of the former employee to the new hire along with the role (i.e., direct assignment). The second method is the indirect role assignment or position-based authorization, in which the role is assigned to the position, not the user. This second method saves a lot of time and effort because the role is position based and does not need to be reassigned every time a new employee takes the position.

Because Organizational Management (OM) object data is the backbone of the position-based authorization approach, inheritance plays a major role. Common roles can be attached to organizational units, jobs, functional areas (in enhancement package 4), and job families (enhancement package 4), which ultimately are cascaded down to individual positions via evaluation paths. A classic example of this is the employee self-service role (back end). This role is generally assigned to all employees and, hence, can be attached to the root organizational unit of the current organizational structure. You can then modify the standard evaluation path for this requirement.
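The cascade described above can be sketched as a small model. This is an added example, not code from the article or from SAP: it is a simplified stand-in for an evaluation path, and the object IDs, user IDs, and role names are constructed (only the O, C, and S object-type prefixes follow OM conventions). It resolves the roles a user inherits through a position, shows that the roles follow the position when the holder changes, and lists every user reached by a role attached high in the structure.

```python
# Constructed sample data: which OM objects each object inherits roles from.
INHERITS_FROM = {
    "O:Payroll": ["O:Root"],
    "S:PayrollClerk": ["O:Payroll", "C:Clerk"],
    "S:PayrollManager": ["O:Payroll", "C:Manager"],
}
# Roles attached directly to an OM object (role names are made up).
ROLES = {
    "O:Root": {"Z_ESS_BACKEND"},          # self-service role on the root org unit
    "O:Payroll": {"Z_PAYROLL_DISPLAY"},
    "C:Manager": {"Z_APPROVE_PAYMENT"},
    "S:PayrollClerk": {"Z_PAYROLL_MAINTAIN"},
}
# Position -> user ID of the current holder.
HOLDERS = {"S:PayrollClerk": "JSMITH", "S:PayrollManager": "MJONES"}


def lineage(obj, seen=None):
    """Return obj plus every object it inherits from (cycle-safe)."""
    seen = set() if seen is None else seen
    if obj not in seen:
        seen.add(obj)
        for parent in INHERITS_FROM.get(obj, ()):
            lineage(parent, seen)
    return seen


def roles_for_position(position):
    """Union of the roles attached anywhere in the position's lineage."""
    return set().union(*(ROLES.get(o, set()) for o in lineage(position)))


def roles_for_user(user, holders):
    """Effective indirect roles: everything inherited via held positions."""
    held = (p for p, u in holders.items() if u == user)
    return set().union(*(roles_for_position(p) for p in held))


def users_reached_by(obj, holders):
    """Users who receive any role attached to obj (review before attaching)."""
    return sorted({u for p, u in holders.items() if obj in lineage(p)})


if __name__ == "__main__":
    print("JSMITH:", sorted(roles_for_user("JSMITH", HOLDERS)))
    # Replace the holder: no role assignment changes, only the holder record.
    after = {**HOLDERS, "S:PayrollClerk": "NEWHIRE"}
    print("NEWHIRE:", sorted(roles_for_user("NEWHIRE", after)))
    print("JSMITH after leaving:", sorted(roles_for_user("JSMITH", after)))
    print("Reached by O:Root:", users_reached_by("O:Root", HOLDERS))
```

Running `users_reached_by` before attaching a role to an organizational unit or job shows how widely the role will cascade, which is the check to make when the structure is also used for segregation of duties.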

Prashant Rastogi

Prashant Rastogi works at Accenture as an SAP HCM associate manager. He has been working in SAP ERP HCM for the past seven years in various assignments. Prashant has experience in implementing ESS, MSS, SAP ECM, Performance Management, Succession Planning, Talent Management, OM, PA, and Nakisa. Prashant has an MBA (HR) along with a master’s in law and labor welfare. He is also an engineer in IT.
